Reputation: 11
Problem with Keycloak and logout from SAML identity provider
I have problem with Keycloak's configuration and Single Logout from SAML Identity Provider.
Scenario:
- User tries to log into Service Provider using Keycloak's client (OID)
- KC redirects to SAML identity provider
- Entering correct credentials, user is logged in, KC creates session and user is redirected back to SP page
- In another tab user directly logs into IP (no credentials are needed because of SSO)
- User logs out from SP
- After refresh 2nd tab (IP), user is logged out.
However, if user logs out from IP first, SP session is not closed and user is still logged in:
- User logs out from IP (redirect to KC endpoint and return back to IP login page)
- After refresh, user is still logged in SP
Keycloak correctly receives samlp:LogoutRequest request and returns <samlp:LogoutResponse ... samlp:Status<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status></samlp:LogoutResponse>
In KC admin console I can still see there is active session for given client (and user). Actually I can see SAML logout request from IP only in KC stdout (request-dumper filter) but no logout event occured in KC.
I dont really understand in details how SAML works, but shouldn't be user logout from SP using SLO? Or maybe I am missing something in KC's client/realm/IP configuration? Thank you for your help/explanation
Upvotes: 0
Views: 3248
Answers (1)
Reputation: 177
Requirements for Global Logout to work
- Clients which are being used for both the service providers should be in the same realm.
- When you log out from IdP, do you see a request being fired to logout from each of the service providers? I believe in your case, it is not calling Logout URL for your SP. That needs to be configured at a client level.
- If logout URL for SP is being called and if even then you are logged into your SP, then it means that SP has some issues in the implementation of Log out.
When you logout from SP first in that case your SP is sending logout request to IdP and that's why you are being logged out from IdP as well as SP. But on the other case, I believe Logout URL is not being called (which could be due to missing configuration in the client).
Can you post a screenshot of the configuration to help you better?
Upvotes: 2
Related Questions
- Keycloak "Unexpected error when handling authentication request to identity provider"
- Keycloak Logout with SAML
- Keycloak: Invalid SAML Response by External IdP
- Connecting keycloak with Active Directory with SAML IDP sends empty response
- SAML Single Logout for Keycloak
- Keycloak SAML IdP gives invalidFederatedIdentityActionMessage after login
- Keycloak not logging out when logged out from identity provider
- Keycloak IDP initiated logout SAML
- When user signs out from SAML Service provider, it does not logs out user from the Salesforce Identity provider
- SAML 2.0, Single Logout issue